Tackling privacy, security on the Web

By Diane Frank

Feb 04, 2001

Security and privacy are enablers of — and stumbling blocks for — e-government. Every time agencies consider moving services to the Internet, the security of the transaction and the privacy of the information must be addressed upfront.

This is the conclusion of a joint government/industry group that last month released the "Securing Electronic Government" guide for agencies. The guide outlines the issues, such as data confidentiality and user authentication, that agencies should consider before putting programs on the World Wide Web.

"The CIO community...observed that the challenge of federal agencies leveraging Internet technology came with a requirement that we be able to provide adequate security for these electronic services," said John Gilligan, co-chairman of the CIO Council's Security, Privacy and Critical Infrastructure Committee, which helped develop the guide.

During the past three years, the Clinton administration and Congress gave agencies a lot of regulations and guidance to follow. Now the issue is compliance.

In 1998, Clinton created the position of chief privacy counsel at the Office of Management and Budget to coordinate the administration's emerging electronic privacy policies and check on agency actions. The position disappeared when the Clinton administration ended, but privacy advocates are already urging President Bush to establish a similar position or office, said Ari Schwartz, a policy analyst with the Center for Democracy and Technology.

Through a policy issued in February 2000, OMB pushed agencies to consider security and privacy before developing new systems. Starting with the fiscal 2002 budget, agencies will be denied any information technology funding request that does not include appropriate security measures.

In another attempt to make security part of agency management, Congress passed the Government Information Security Reform Act. Starting this year, agencies will undergo an annual independent evaluation of their security practices and policies, the results of which will be turned over to OMB and then reported to Congress. And to secure the nation against cyberattacks, Clinton in 1998 issued Presidential Decision Directive 63, which requires that agencies and industry protect the systems that support the nation's critical infrastructure, such as power, water and telecommunications.

Agencies are implementing the plans they developed in conjunction with the new Critical Infrastructure Assurance Office, but there is much more to do in this area to meet PDD 63's May 2003 deadline, said John Spotila, former administrator of OMB's Office of Information and Regulatory Affairs. One example is finding the resources to finish the Federal Bridge Certification Authority, a mechanism to enable agencies to exchange digital certificates that authenticate users and encrypt data on transactions involving critical systems.
